{"affected":[{"ecosystem_specific":{"binaries":[{"krb5":"1.19.2-150300.25.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.1","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Micro%205.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.19.2-150300.25.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"krb5":"1.19.2-150300.25.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.2","name":"krb5","purl":"pkg:rpm/suse/krb5&distro=SUSE%20Linux%20Enterprise%20Micro%205.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.19.2-150300.25.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for krb5 fixes the following issues:\n\n- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using\n  RC4-HMAC-MD5 (bsc#1241219).\n\nKrb5, as a very old protocol, supported quite a number of ciphers that are not longer up to current cryptographic\nstandards.\n\nTo avoid problems with those, SUSE has by default now disabled those alorithms.\n\nThe following algorithms have been removed from valid krb5 enctypes:\n\n- des3-cbc-sha1\n- arcfour-hmac-md5\n\nTo reenable those algorithms, you can use allow options in `krb5.conf`:\n\n```\n[libdefaults]\nallow_des3 = true\nallow_rc4 = true\n```\n","id":"SUSE-SU-2025:03227-1","modified":"2025-09-15T12:33:26Z","published":"2025-09-15T12:33:26Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202503227-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1241219"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-3576"}],"related":["CVE-2025-3576"],"summary":"Security update for krb5","upstream":["CVE-2025-3576"]}